Account Security and Theft Policy - READ THIS

In any online game with an economy, in-game items have value. These items are often sold on external real-money trading sites, and we’re doing what we can to stop these affecting Path of Exile. We're attacking their spam and the way that they get items to sell.

Unfortunately, one of the ways these shops obtain items is by stealing them from other Path of Exile players. We have received several reports of people losing items, and we can see from our logs that these end up on accounts (generally accessed by Chinese IPs) that are used to supply RMT item sites.

After several days of painstakingly investigating these cases, we've identified quite a few ways that players are having their passwords stolen. I'd like to go through them one by one and explain how players can keep themselves safe and what we can do on our end to make these attacks more difficult.

I should stress that these problems are common to most online games and that they're problems that players can prevent with good internet security practices.

Phishing Links/PMs
A phishing site is one that is set up to look just like pathofexile.com but instead sends your password to the attacker. We see people sending links to these sites in PMs or posting the links on the forum (these are often disguised as legitimate looking links). As soon as we discover these, we immediately delete them. We are probably going to change the forum and PM system so that external links either carry heavy warnings or just don’t work at all. To keep yourself safe from phishing links in the meantime, only enter your email/password on the official www.pathofexile.com site! You can tell it’s the official one by going to the login page and checking to see that your browser has a lock icon that says "Grinding Gear Games Limited" when you click it (i.e. is connecting via SSL and has a certificate proving it is us).

Malware in Cheat Programs
If you use a maphack tool (or other cheat program), we will ban you. If we don’t ban you in time, your account will be stolen due to the keyloggers that the program probably has. All maphacks that we have investigated currently have keyloggers. If you want to keep yourself safe, don’t try to cheat.

Posting Config Files
Your password (hashed, not in plaintext) is stored in your Path of Exile configuration file. Do not post this file online or allow other people access to this file. In the very near future we will make it so that this information does not allow other people to log into your account. If you want to be completely safe, untick the option that makes the game client save your password.

Non-unique Password
Don’t use the same password that you use on other services. It’s extremely common for fansites to be compromised, leaking a list of their users' email/passwords. Many of these can be used to log in to Path of Exile because people re-use passwords. Choose a new password! Make it long!

Already Compromised PC or Email account
A decent percentage of users have computers or email addresses that are already compromised and are part of a botnet. There’s nothing we can do about this. Please keep your computer clean and practice safe internet security.

Power-levelling Services
If you give someone your account details so that they can power-level your character, they’ll probably steal your items. We will ban people who accept real money for Path of Exile items and services, so it’s likely your account will be banned if they have accessed it. Do not cheat!

In addition to the above steps, we’re also planning on having access to accounts from strange IP addresses require email or cellphone verification. This will hopefully mean that even if your password is stolen, the attacker needs access to your phone or email in order to log in.

Unfortunately, we cannot restore any items lost to theft. One of the most important things about Path of Exile is its online economy, and if we performed restorations on demand then the economy would be flooded with duplicated items. We've seen this in other games (where the game companies restore compromised items and create a massive economic problem in the game).

If someone compromises your account and deletes your characters, we’re currently unable to restore these characters. We are working on changing the game so that deletions are "soft" rather than "hard", which will allow us to restore deleted characters easily. If their items are stolen, however, then the character will be empty. This feature will be available in the future but is not ready yet!

I am very sorry that our policy is no help if you've lost items or characters. I sincerely wish that I could restore them for you, but to do so would undermine one of the most important aspects of the game. If you have been compromised, I strongly suggest:

First, make sure your computer is malware free. A reformat would be the best bet. If you follow the following steps but still have malware, the attacker will just take your password again.

Make sure that your email account is secure. Change its password! Set up two-factor (i.e. cellphone) authentication with your email provider. If the email is not secure, the attacker can still steal your account.

Set a Path of Exile password that is different from any other password you have used before. Make it long and complex.

Don’t enter your password anywhere except the official site and the game client. Make sure the site says "Grinding Gear Games Limited" when you click the lock icon next to the address.

Don’t download untrusted software or click untrusted links.

We take security very, very seriously. The website and game client both use secure encrypted sessions to handle logins. We don’t store credit card information on our servers. Passwords are stored hashed and salted. Even the backups of your data are encrypted so that thieves can't get anything if they steal the backups.

Please take steps to make sure your accounts are safe. It pains me greatly every time I read about lost items that we can't replace. With some development time on our end (as outlined above) and good security on the part of our users, your accounts will be much more secure and the item sales sites won't be able to steal our items.
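The post says the client config file holds a hashed copy of the password that is still enough to log in, and that the server side stores passwords salted and hashed. The following is an added example, not code from the post or from Grinding Gear Games, contrasting the two designs: a "weak" scheme where the client presents a stored password hash (so a copied config file is a working credential) and an assumed hardened scheme where the server keeps a salted, slow hash that is never accepted as a credential, and the client's "remember me" state is a separate random device token the server can revoke. Account names, the password, the PBKDF2 cost and the token format are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# --- Weak design, as the post describes it ----------------------------------
# The client config file stores a hash of the password and presents that hash
# to log in; the server compares it with the same hash on record. Anyone who
# copies the config file therefore holds a working credential.

def weak_register(users, account, password):
    users[account] = hashlib.sha256(password.encode()).hexdigest()

def weak_login(users, account, presented_hash):
    stored = users.get(account, "")
    return hmac.compare_digest(stored, presented_hash)

# --- Hardened design (assumed, not GGG's implementation) ---------------------
# The server keeps a random per-user salt and a slow password hash; nothing the
# server stores is accepted as a login credential. The client never saves the
# password. "Remember me" is a random device token that the server stores only
# as a hash and can revoke without forcing a password change.

PBKDF2_ITERATIONS = 100_000  # assumed cost parameter; raise it for production

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def register(users, account, password):
    salt = os.urandom(16)
    users[account] = {"salt": salt, "hash": _derive(password, salt), "tokens": set()}

def login_with_password(users, account, password):
    rec = users.get(account)
    if rec is None:
        _derive(password, b"\0" * 16)  # spend the same cost for unknown accounts
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

def issue_device_token(users, account):
    token = secrets.token_urlsafe(32)
    users[account]["tokens"].add(hashlib.sha256(token.encode()).digest())
    return token  # this, not the password, is what the client would save on disk

def login_with_token(users, account, token):
    rec = users.get(account)
    if rec is None:
        return False
    return hashlib.sha256(token.encode()).digest() in rec["tokens"]

def revoke_device_tokens(users, account):
    users[account]["tokens"].clear()

def demo():
    """Constructed walk-through: what a leaked config file buys an attacker."""
    weak = {}
    weak_register(weak, "exile", "hunter2")
    leaked_weak_config = weak["exile"]  # identical to what the client file holds
    weak_leak_logs_in = weak_login(weak, "exile", leaked_weak_config)

    strong = {}
    register(strong, "exile", "hunter2")
    leaked_token = issue_device_token(strong, "exile")
    token_works_before = login_with_token(strong, "exile", leaked_token)
    revoke_device_tokens(strong, "exile")          # one click in account settings
    token_works_after = login_with_token(strong, "exile", leaked_token)
    password_still_works = login_with_password(strong, "exile", "hunter2")
    return weak_leak_logs_in, token_works_before, token_works_after, password_still_works

if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

The point of the split is that a leaked config file under the hardened design exposes only a token, which can be revoked on its own, while the server-side password hash is useless as a login credential even if the database leaks. The slow hash (PBKDF2 here; scrypt or Argon2 would be the usual choice today) is what makes a stolen database expensive to crack.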

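The post also announces that logins from unfamiliar IP addresses will require email or cellphone verification, so that a stolen password alone is not enough. The following is an added example of that step-up flow, not code from the post or from Grinding Gear Games: a login that passes the password check but arrives from a network the account has never verified gets a one-time code delivered out of band, and the network is only remembered once the code is confirmed. The /24 and /48 bucketing, the ten-minute code lifetime, the three-try limit and the `deliver_code` callback are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed lifetime of a verification code
MAX_CODE_TRIES = 3       # assumed guess limit before the challenge is voided

class Account:
    def __init__(self, name, contact):
        self.name = name
        self.contact = contact      # verified email address or phone number (assumption)
        self.known_nets = set()     # networks this account has already verified from
        self.pending = None         # the active challenge, if any

def network_for(ip):
    """Bucket addresses so an ISP-side DHCP change inside the same range stays 'known'."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def _hash_code(code):
    return hashlib.sha256(code.encode()).digest()

class LoginService:
    def __init__(self, deliver_code, now=time.time):
        self.deliver_code = deliver_code  # callback(contact, code): sends the code out of band
        self.now = now                    # injectable clock so expiry can be tested

    def attempt(self, acct, password_ok, ip):
        """Password already checked by the caller; decide whether to step up."""
        if not password_ok:
            return "denied"
        net = network_for(ip)
        if net in acct.known_nets:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = {"hash": _hash_code(code),          # never store the code itself
                        "expires": self.now() + CODE_TTL_SECONDS,
                        "net": net, "tries": 0}
        self.deliver_code(acct.contact, code)
        return "verify"

    def confirm(self, acct, code, ip):
        p = acct.pending
        if p is None:
            return "no-challenge"
        if self.now() > p["expires"] or p["tries"] >= MAX_CODE_TRIES:
            acct.pending = None
            return "expired"
        # The code is bound to the network that triggered the challenge, so a
        # phished code cannot be replayed from the attacker's own address.
        if network_for(ip) != p["net"] or not hmac.compare_digest(_hash_code(code), p["hash"]):
            p["tries"] += 1
            return "bad-code"
        acct.pending = None
        acct.known_nets.add(p["net"])
        return "ok"

if __name__ == "__main__":
    # Constructed walk-through: the real delivery would be email or SMS.
    outbox = []
    svc = LoginService(lambda contact, code: outbox.append(code))
    acct = Account("exile", "player@example.com")
    print(svc.attempt(acct, True, "203.0.113.5"))          # verify
    print(svc.confirm(acct, outbox[-1], "203.0.113.5"))    # ok
    print(svc.attempt(acct, True, "203.0.113.77"))         # ok (same /24)
    print(svc.attempt(acct, True, "198.51.100.9"))         # verify (new network)
```

The reply below asking "So basically Steam Guard?" is about right: the scheme is only as strong as the out-of-band channel, which is why the post also tells players to put two-factor authentication on the email account itself.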
Due to the way the skill system works, I must ask you to consider some method or policy that will allow you to restore skill gems to players if they are stolen. A high level is worthless without leveled skills to back it up. 4-6 damage on a fireball is worthless when an enemy has 4000 health.

Perhaps untradable versions, only acquirable through replacement? Allow players to continue playing without affecting the economy.

I disagree, gems are worth much less than items, due to their predetermined stats. And you will reach level 20 gems way before you can reach a level 100 character (or even 90). Restoring a high-level character is worth much more to me.

In addition to the above steps, we’re also planning on having access to accounts from strange IP addresses require email or cellphone verification. This will hopefully mean that even if your password is stolen, the attacker needs access to your phone or email in order to log in.

So basically Steam Guard?

Yes, the basic procedure is so simple that most companies use it; call it Google Authenticator, Steam Guard or "I SMS you when someone accesses your account".

I already see a problem coming with masses of users hammering support with: "my account says it's locked to another IP address and I can't access the email account I have stated / have bricked my cell phone."
In all of these cases GGG support cannot unblock the account because there is no verification that the claim is valid, except for supporters who gave their home address to GGG to get the swag shipped to them.

Either way, the company will burn a lot of money on support which is better spent on development, but I appreciate the added security if it is optional.

@Chris: there are a lot of technical terms in the post I'm sure most people don't understand. But hey, this is a hardcore ARPG for only the best of the best of the best and you can always learn more!!1

I guess items don't have unique IDs you can follow, so when you restore the stolen item you actually move it from the stash of the thief.

Anyway, thanks Chris for the post.

I think they can follow items. Chris has mentioned it before, especially in relation to banning RMT users. Perhaps the problem is that they might not have a way to manually remove and restore items. That, or the process of removing/restoring items is too problematic.